Configuring iThemes Security for Your Shared-Hosting Site

iThemes Security is one of the most popular security plugins for WordPress. It covers many of the essential steps for keeping your site running well and keeping your site, and your information, safe from hackers. It is an excellent way to get about as much security as you can manage for yourself without studying hard.

There are so many options in iThemes Security that it can seem bewildering or too complex. But you can learn how to configure each section of iThemes Security for what works best for your site. Here are the settings I use, and the things to look at when deciding which settings you want.

What Does iThemes Security Cover?

Security Check — Ensure that your site is using the recommended features and settings.

What Does iThemes Security Pro Add?

Malware Scan Scheduling — Protect your site with automated malware scans. When this feature is enabled, the site will be automatically scanned each day. If a problem is found, an email is sent to select users.

Privilege Escalation — Allow administrators to temporarily grant extra access to a user of the site for a specified period of time.

Password Expiration — Strengthen the passwords on the site with automated password expiration.

reCAPTCHA — Protect your site from bots by verifying that the person submitting comments or logging in is indeed human.

Settings Import and Export — Export your settings as a backup or to import on other sites for quicker setup.

User Security Check — Every user on your site affects overall security. See how your users might be affecting your security and take action when needed.

Version Management — Protect your site when outdated software is not updated quickly enough.

Security Check

If you want the quickest configuration, getting the most important security features without setting up anything that takes more work, try this.

Ensure that your site is using these recommended features and settings:

Banned Users

Database Backups — However, if you have another program that is making a database backup, you should only use one; dedicated backup programs (such as Backup Buddy or BackWPup) are better.

Local Brute Force Protection

Network Brute Force Protection

Strong Passwords

WordPress Tweaks

Global Settings

Configure basic settings that control how iThemes Security functions.

Write to Files: Whether or not iThemes Security should be allowed to write to wp-config.php and .htaccess automatically. If disabled, you will need to manually place configuration options in those files. (The text to use for your options is provided.)

These two files are key malware targets, so removing the ability for anyone but you to read these files or write changes to them is very good. (This uses the Linux file permission settings.) Many plugins write settings to these files; you’ll have to remember to enable write permissions, configure the plugin, and turn write permissions back off. If a plugin “doesn’t save some settings”, it might be failing to make changes to wp-config.php or .htaccess; well-written plugins will tell you what to put in these files manually if needed.

Notification Email: The email address(es) all security notifications will be sent to. One address per line.

Send Digest Email: During periods of heavy attack or other times a security plugin can generate a LOT of email just telling you that it is doing its job. Turning “digest emails” on will reduce the emails from this plugin to no more than one per day for any notification.

Backup Delivery Email: The email address(es) all database backups will be sent to. One address per line. But I recommend using a backup plugin instead of the iThemes database-only backup.

Blacklist Repeat Offender: If this box is checked, the IP address of the offending computer will be added to the “Ban Users” blacklist after reaching the number of lockouts listed. Trying to block every “bad guy” by their IP address is a waste of time, since many hackers work with networks of thousands of computers and rotate parts of the attack among different IP addresses. The “Enable Blacklist Repeat Offender” setting works automatically based on their behavior, so you don’t have to add their IP address to a list by hand. Suggestion: check this box.

Blacklist Threshold: The number of lockouts per IP before the IP address is banned permanently from this site. Suggestion: 3. No courtesy to bad guys.

Blacklist Lookback Period: How many days should a lockout be remembered to meet the blacklist count. Suggestion: 15 days, and also try 30 days. I don’t know if making this period long affects your site performance, nor if it catches more hackers (often hackers will set up malware for future use, to avoid detection and to have your site available when there is a “big project” to have your site join in).

Lockout Period: The length of time a host or user will be banned from this site after hitting the limit of bad logins. Suggestion: 90 days. Often specific hackers try your site in waves, and then ignore your site for a while. If they misbehave again, they’ll get re-added to the lockout list.

Lockout White List: Specify hosts that will not be locked out from your site. This will keep you from locking yourself out of any features if you should trigger a lockout. Please note this does not override “away mode” and will only prevent a temporary ban. Should a permanent ban be triggered you will still be added to the “Ban Users” list unless the IP address is also white listed in that section. Suggestion: add your home and work and cell phone IP addresses; don’t add IP addresses you occasionally use.

Email Lockout Notifications: This feature will trigger an email to be sent to the email addresses listed in the Notification Email setting whenever a host or user is locked out of the system.

If your site is being attacked, you could get thousands of emails. Your hosting company can do something about this; you probably cannot. Suggestion: do not enable this notification. Or send security notifications to a Gmail account dedicated only to that use.

Log Type: Database Only or File Only or Both. iThemes Security can log events in multiple ways, each with advantages and disadvantages. Database Only puts all events in the database with your posts and other WordPress data. This makes it easy to retrieve and process but can be slower if the database table gets very large. File Only is very fast but the plugin does not process the logs itself as that would take far more resources. For most users or smaller sites Database Only should be fine. If you have a very large site or a log processing software then File Only might be a better option. Suggestion: Database Only.

Days to Keep Database Logs: The number of days database logs should be kept. File logs will be kept indefinitely but will be rotated once the file hits 10MB. Suggestion: If you use log files (rather than database logs), keep them for 30 days.

Path to Log Files: The path on your server where log files should be stored. This path must be writable by your website. For added security, it is recommended you do not include it in your website root folder.

Note that the default location is in your wp-content folder (/home/USERNAME/public_html/wptransfer/wp-content/uploads/ithemes-security/logs). Keep logs, backups, etc. out of your wp-content folder. You’ll have to find out what folder is good for this use; many hosting companies will use something like /home/USERNAME/logs/ so a good location might be /home/USERNAME/logs/ithemes-security

Add InfiniteWP Compatibility: Turning this feature on will enable compatibility with InfiniteWP. The main use of InfiniteWP is for managing updates in many sites more easily. If you have more than one site, look into this. It is free, for unlimited sites. Suggestion: Use InfiniteWP or another like it, if you have more than 3 WordPress installations, single site or multi-site.

Disable File Locking: Turning this option on will prevent errors related to file locking however might result in operations being executed twice. We do not recommend turning this off unless your host prevents the file locking feature from working correctly.

Override Proxy Detection: If you’re not using a proxy service such as Varnish, Cloudflare or others turning this on may result in more accurate IP detection. Suggestion: unless you are following up what IP addresses are causing problems, and most people won’t, you won’t care; so turn on the override, which might result in less work for your server.

Hide Security Menu in Admin Bar: If you have many people accessing the admin bar (as Editor or Author), you might want to do this; only people who understand the implications of the different security options will want to see the security menu. (It is still available, but not in the admin bar at the top of the screen.) Suggestion: leave it un-hidden.

Show Error Codes: Each error message in iThemes Security has an associated error code that can help diagnose an issue. Changing this setting to “Yes” causes these codes to display. This setting should be left set to “No” unless iThemes Security support requests that you change it.

Displaying error codes means hackers might be able to find a way around some portion of the security. Has anyone found how to have the associated error code logged instead, so only an administrator can see it?

404 Detection

Automatically block users snooping around for pages to exploit.

404 detection looks at a user who is hitting a large number of non-existent pages and getting a large number of 404 “File Not Found” errors. 404 detection assumes that a user who hits a lot of 404 errors in a short period of time is scanning for something (presumably a vulnerability) and locks them out accordingly. This also gives the added benefit of helping you find hidden problems causing 404 errors on unseen parts of your site. All errors will be logged in the “View Logs” page. You can set thresholds for this feature below.

This log is a good thing to check — any file being hunted for by many hackers is a good candidate to block in .htaccess, before WordPress gets loaded; this would cut down the resources your account uses, sometimes substantially.

Your lockout settings can be configured in Global Settings.

Permanently ban: yes

Number of lockouts before permanent ban: 3

How long lockouts will be remembered for ban: 15

Host lockout message: You Are Blocked

User lockout message: You have been locked out due to too many invalid login attempts.

Is this computer white-listed: yes

Minutes to Remember 404 Error: The number of minutes in which 404 errors should be remembered and counted towards lockouts.

I increased this from the default, to 60 minutes.

Error Threshold: The numbers of errors (within the check period time frame) that will trigger a lockout. Set to zero (0) to record 404 errors without locking out users. This can be useful for troubleshooting content or other errors. The default is 20.

This is a great test for hacking activity. Never set this to zero. Hackers are probing for WordPress plugins with known vulnerabilities. If they find one file that identifies your site as having a plugin installed, they then test for the vulnerable file. (Most people do not keep their plugins and themes updated. It is very important that you update frequently.)

404 File/Folder White List: Use the white list to prevent recording common 404 errors. If you know a common file on your site is missing and you do not want it to count towards a lockout record it here. You must list the full path beginning with the “/”.

I have not tested whether putting the root (e.g. /apple-touch-icon.png) works for all sub-folders. I simply put the most commonly requested files that aren’t on my site. Check what files are generating 404 errors that are not hackers looking for security vulnerabilities (okay, let’s just say “files you know are good”, like the apple-touch-icon). Of course, another solution is to provide the files that are expected.

Ignored File Types: .jpg
.jpeg
.png
.gif
.css

File types listed here will be recorded as 404 errors but will not lead to lockouts. Images and movies are good; don’t put .php or .html or .js or any other common web site files.
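To see what the 404 Detection settings above actually do with a log, here is an added example (a shell script written for this page, not code from the original post or from the iThemes Security plugin). It replays the same rule over Apache combined-format access-log lines with the settings discussed above (20 errors within 60 minutes, the listed image and CSS types recorded but not counted, a short path white list) and also lists the missing paths requested most often, which are the candidates for blocking in .htaccess before WordPress loads. The log lines are constructed; the /home/USERNAME/logs path in the usage comment is the placeholder the post itself uses, and the script assumes the log slice comes from a single month.

```shell
#!/bin/sh
# Added example, not code from the original post or from iThemes Security:
# the 404 Detection rule re-created over Apache combined-format access-log
# lines, so a slice of a real log can be replayed against the post's
# settings. Assumes one month of log (timestamps compared by day-of-month,
# hour, minute, second only).

THRESHOLD=20                                  # Error Threshold (never 0)
WINDOW_MIN=60                                 # Minutes to Remember 404 Error
IGNORED_TYPES='jpg jpeg png gif css'          # recorded, never counted
WHITELIST='/apple-touch-icon.png /apple-touch-icon-precomposed.png'

# flag_404_scanners < access.log
# Prints "IP PATH" once per host at the moment it reaches THRESHOLD 404s
# inside a sliding WINDOW_MIN-minute window; PATH is the request that
# tipped it over. Ignored types and white-listed paths are never counted.
flag_404_scanners() {
    awk -v thr="$THRESHOLD" -v win="$WINDOW_MIN" \
        -v ignored="$IGNORED_TYPES" -v white="$WHITELIST" '
    BEGIN {
        n = split(ignored, a, " "); for (i = 1; i <= n; i++) ign[a[i]] = 1
        n = split(white, b, " ");   for (i = 1; i <= n; i++) wl[b[i]] = 1
    }
    $9 != "404" { next }                      # combined log: status is $9
    {
        ip = $1
        path = $7; sub(/\?.*/, "", path)      # drop any query string
        ext = path; sub(/.*\./, "", ext); e = tolower(ext)
        if ((path in wl) || (e in ign)) next
        # $4 looks like [10/Oct/2015:13:55:01 -> day mon year h m s
        split(substr($4, 2), t, "[/:]")
        now = t[1] * 86400 + t[4] * 3600 + t[5] * 60 + t[6]
        cnt[ip]++; ts[ip, cnt[ip]] = now
        if (ip in locked) next
        recent = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (ts[ip, i] > now - win * 60) recent++
        if (recent >= thr) { locked[ip] = 1; print ip, path }
    }'
}

# top_404_paths N < access.log
# Prints "COUNT PATH" for the N most-requested missing paths. Every 404 is
# counted here, ignored types included: the plugin records those too, it
# just never locks anyone out for them.
top_404_paths() {
    awk '$9 == "404" { p = $7; sub(/\?.*/, "", p); c[p]++ }
         END { for (p in c) print c[p], p }' |
        sort -k1,1nr | head -n "${1:-10}"
}

# Constructed sample log (not real traffic), in time order:
#  198.51.100.9 asks for one plugin readme 15 times at 02:00 and 15 more
#               at 04:00, so it never reaches 20 inside one hour;
#  192.0.2.44   is a phone missing two icons, then a normal page view;
#  203.0.113.7  walks 25 plugin readmes in 25 seconds.
make_sample_log() {
    for h in 02 04; do
        i=1
        while [ "$i" -le 15 ]; do
            printf '198.51.100.9 - - [10/Oct/2015:%s:00:%02d +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 209 "-" "curl/7.43"\n' "$h" "$i"
            i=$((i + 1))
        done
    done
    printf '192.0.2.44 - - [10/Oct/2015:09:12:03 +0000] "GET /apple-touch-icon.png HTTP/1.1" 404 209 "-" "Mozilla/5.0 (iPhone)"\n'
    printf '192.0.2.44 - - [10/Oct/2015:09:12:04 +0000] "GET /images/old-banner.png HTTP/1.1" 404 209 "-" "Mozilla/5.0 (iPhone)"\n'
    printf '192.0.2.44 - - [10/Oct/2015:09:12:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone)"\n'
    i=1
    while [ "$i" -le 25 ]; do
        printf '203.0.113.7 - - [10/Oct/2015:13:55:%02d +0000] "GET /wp-content/plugins/plugin-%d/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Demo on the constructed log. On a real host feed the recent part of the
# access log instead, for example:
#   tail -n 50000 /home/USERNAME/logs/access.log | flag_404_scanners
#   tail -n 50000 /home/USERNAME/logs/access.log | top_404_paths 20
make_sample_log | flag_404_scanners
make_sample_log | top_404_paths 3
```

On the constructed log only 203.0.113.7 is flagged, at its 20th probe; 198.51.100.9 is not, because its 30 probes never fall inside one 60-minute window, and the phone’s icon misses are ignored by type and by white list. The most-hunted path is the one requested 30 times, which is the kind of entry worth denying in .htaccess.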

Away Mode

Disable access to the WordPress Dashboard on a schedule.

As most sites are only updated at certain times of the day it is not always necessary to provide access to the WordPress dashboard 24 hours a day, 7 days a week. The options below will allow you to disable access to the WordPress Dashboard for the specified period. In addition to limiting exposure to attackers this could also be useful to disable site access based on a schedule for classroom or other reasons.

I set mine to disabled between 2am and 8am. Just remember, if you are working late on your site, and suddenly can’t access your pages, that you have this setting on. (Your site didn’t somehow get broken, or hacked, or anything else… simply go to bed and come back in the morning.)

Banned Users

Block specific IP addresses and user agents from accessing the site.

This feature allows you to completely ban hosts and user agents from your site without having to manage any configuration of your server. Any IP addresses or user agents found in the lists below will not be allowed any access to your site.

As a getting-started point you can include the blacklist developed by Jim Walker of HackRepair.com.

You can ban IP addresses or CIDR blocks. But updating this list based on daily hacker attempts is a waste of your time; the hackers will constantly change IP addresses. Use this list for persistent nuisances; or even better, update a list in .htaccess, blocking them before WordPress gets loaded.

Better than blocking by IP address, which changes as hackers expand their network of computers, see if there is a behavior that can be blocked, such as a file name, part of a folder name, part of a “query string”, or part of the “user agent”. See Building the Jeff Starr Blacklist, or get the latest version, the 6G Blacklist.

Ban User Agents: Specify the “user agents” (a way for web browsers to identify themselves for special styling or content) that will not be allowed access to your site.

Local Brute Force Protection

Protect your site against attackers that try to randomly guess login details to your site.

If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible to as, by default, the system doesn’t care how many attempts a user makes to login. It will always let you try again. Enabling login limits will ban the host user from attempting to login again after the specified bad login threshold has been reached.

Your lockout settings can be configured in Global Settings.

Max Login Attempts Per Host: The number of login attempts a user has before their host or computer is locked out of the system.

The plugin says you can set this to 0 to record bad login attempts without locking out the host. Bad idea. Hackers really are trying to guess your passwords, and your password (unless it is computer-generated random letters and symbols, and at least 10 characters long) is far easier to guess than you think.

Max Login Attempts Per User: The number of login attempts a user has before their username is locked out of the system. Note that this is different from hosts in case an attacker is using multiple computers. In addition, if they are using your login name you could be locked out yourself.

Automatically ban “admin” user: Immediately ban a host that attempts to login using the “admin” username.

This is essential. The default user name “admin” is used on most sites; hackers know this. If you use “admin”, hackers only have to guess your password.

You should also configure your Users to display a nickname that doesn’t give away the login name; hackers know how to read your posts for user names.

If your administrator user name is “admin” there is an option in iThemes Security to change it.

Database Backups

Create backups of your site’s database. The backups can be created manually and on a schedule.

One of the best ways to protect yourself from an attack is to have a database backup of your site, and a full backup of all files on your site. If something goes wrong, you can get your site back by restoring the database from a backup and replacing the files with fresh ones.

It is very important that you don’t use more than one program to make backups. 1) Most backup plugins don’t check for other backups stored elsewhere on your account, other than their own, and will include those backup files in their own backup; each backup becomes much larger. 2) Backups take resources; you can max out your hosting account’s resources.

Never keep your backup anywhere inside wp-content/ since if hackers steal a copy of your database, they are much more likely to be able to guess your WordPress user name and password — instead of 100,000 guesses in a few hours via an unprotected WordPress login page, or in a week on a protected login page, they can make billions of guesses in a single second. Strong Passwords for WordPress.

Some plugins can create log files in your database. While these logs might be handy for some functions, they can also take up a lot of space and, in some cases, even make backing up your database almost impossible. Select log tables to exclude their data from the backup. Note: You should backup the structure of the table itself, but not the data in the table.

File Change Detection

Monitor the site for unexpected file changes.

Even the best security solutions can fail. How do you know if someone gets into your site? You will know because they will change something. File Change detection will tell you what files have changed in your WordPress installation alerting you to changes not made by yourself. Unlike other solutions, this plugin will look only at your installation and compare files to the last check instead of comparing them with a remote installation thereby taking into account whether or not you modify the files yourself.

Unfortunately, this scan currently doesn’t distinguish files changed by a WordPress update, a plugin update, or a theme update. You’ll constantly get alerts about file changes, when you really want to know only about changes made by potential hackers.

On many shared hosting accounts, this can take up all your account resources. If you have this turned on, make sure to exclude any folders that have many files, especially large files such as videos. If you have wp-cron.php run by a Linux cron job (good to do), make sure the cron job is infrequent enough that this file check always completes; otherwise the cron job will start it again (and then you’ll have multiple scans running, all the time).

Only have one plugin do file change detection; for example, iThemes Security and Sucuri both have this, so disable it in all but one plugin.
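The cron advice above (make sure a Linux cron job never restarts wp-cron.php while the previous run, and its file scan, is still going) is easier to get right with a lock than by guessing an interval. Here is an added example, a wrapper script written for this page and not code from the post or from iThemes Security. It uses mkdir as the lock because mkdir is atomic on local filesystems and needs no flock binary, and it records the owning PID so a lock left behind by a killed run is reclaimed. The /home/USERNAME paths are the placeholder style the post uses and are assumptions for a typical cPanel account.

```shell
#!/bin/sh
# Added example, not from the original post or from iThemes Security: run
# wp-cron.php from a real cron job without letting two runs overlap, so a
# slow File Change Detection scan is never restarted on top of itself.

# run_once LOCKDIR COMMAND [ARGS...]
# Returns the command's exit status, or 75 (EX_TEMPFAIL) when the run was
# skipped because another run still holds LOCKDIR.
run_once() {
    lockdir=$1; shift
    if ! mkdir "$lockdir" 2>/dev/null; then
        owner=$(cat "$lockdir/pid" 2>/dev/null)
        # Held by a live process (or by one that has not written its PID
        # yet): skip this run rather than start a second scan.
        if [ -z "$owner" ] || kill -0 "$owner" 2>/dev/null; then
            return 75
        fi
        # The owner is gone, so the lock is stale: reclaim it.
        rm -rf "$lockdir"
        mkdir "$lockdir" 2>/dev/null || return 75
    fi
    printf '%s\n' "$$" > "$lockdir/pid"
    "$@"
    rc=$?
    rm -rf "$lockdir"
    return "$rc"
}

# wp_cron_job: what the crontab entry calls. Paths are assumptions for a
# typical cPanel account; adjust them to your own. Once this job exists,
# add define('DISABLE_WP_CRON', true) to wp-config.php so ordinary page
# views stop triggering wp-cron on their own.
WP_ROOT=${WP_ROOT:-/home/USERNAME/public_html}
WP_CRON_LOCK=${WP_CRON_LOCK:-/home/USERNAME/.wp-cron.lock}
wp_cron_job() {
    run_once "$WP_CRON_LOCK" php -q "$WP_ROOT/wp-cron.php"
}

# crontab entry (every 15 minutes; the lock is what makes a short interval
# safe, because an overlapping run simply exits with 75):
#   */15 * * * * /bin/sh /home/USERNAME/bin/wp-cron-once.sh run
case "${1:-}" in run) wp_cron_job ;; esac
```

With the lock in place the cron interval no longer has to be longer than the slowest scan; a run that finds the lock held exits immediately, and the next scheduled run picks up once the scan has finished.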

Split File Scanning — Splits file checking into 7 chunks (plugins, themes, wp-admin, wp-includes, uploads, the rest of wp-content and everything that is left over) and divides the checks evenly over the course of a day. This feature may result in more notifications but will allow for the scanning of bigger sites to continue even on a lower-end web host.

File Permissions

Lists file and directory permissions of key areas of the site.

Follow all these recommendations. You change permissions via FTP, via SSH, or by asking your hosting support to change them.

You may get errors on some hosts. If needed, increase the permissions so your site runs.

Hide Backend

Hide the login page by changing its name and preventing access to wp-login.php and wp-admin.

Hides the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks and making it easier for users unfamiliar with the WordPress platform.

If you change the locations of the login and admin pages, you will have to train all your users.

Network Brute Force Protection

Join a network of sites that reports and protects against bad actors on the internet.

Network vs Local Brute Force Protection

Local brute force protection looks only at attempts to access your site and bans users per the lockout rules specified locally. Network brute force protection takes this a step further by banning users who have tried to break into other sites from breaking into yours. The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack.

SSL

Configure use of SSL to ensure that communications between browsers and the server are secure.

Secure Sockets Layer (SSL) is a technology used to encrypt the data sent between your server or host and a visitor to your web page. When SSL is activated, it makes it almost impossible for an attacker to intercept data in transit, making the transmission of form, password or other sensitive data much safer.

This plugin gives you the option of turning on SSL (if your server or host supports it) for all or part of your site. The options below allow you to automatically use SSL for major parts of your site such as the login page, the admin dashboard or the site as a whole. You can also turn on SSL for any post or page by editing the content and selecting “Enable SSL” in the publishing options of the content in question.

This doesn’t support self-signed SSL certificates, though a simple line added to wp-config.php will force https:// for your login and admin pages. There are now versions of cPanel that can make and install self-signed certificates; look for hosting providers that go beyond that and use Let’s Encrypt to give you free SSL certificates that are signed by a certificate authority (not signed by you).

I am using self-signed SSL, generated via cPanel. Even though iThemes says the “server does not appear to support SSL”, my admin pages are encrypted, via wp-config.php setting.

Note: While this plugin does give you the option of encrypting everything, SSL may not be for you. SSL does add overhead to your site which will increase download times slightly. Therefore we recommend you enable SSL at a minimum on the login page, then on the whole admin section and finally on individual pages or posts with forms that require sensitive information.

Note: When turning SSL on you will be logged out and you will have to log back in. This is to prevent possible cookie conflicts that could make it more difficult to get in otherwise.

Strong Password Enforcement

Force users to use strong passwords as rated by the WordPress password meter.

You can select the minimum role for which strong passwords are required.

System Tweaks

Advanced settings that improve security by changing the server config for this site.

Note: These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.

Protect System Files – Prevent public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess. These files can give away important information on your site and serve no purpose to the public once WordPress has been successfully installed.

Directory Browsing – Prevents users from seeing a list of files in a directory when no index file is present. (This should work without problems on every host.)

Request Methods – Filter out hits with the trace, delete, or track request methods. (I know of no uses in WordPress for these; filtering them seems to cause zero problems.)

Filter Suspicious Query Strings in the URL – These are very often signs of someone trying to gain access to your site but some plugins and themes can also be blocked.

I have identified several cases where I rewrote the iThemes Security rule to allow exceptions to the rule. Contact me if you want to keep the rule for most cases, but have a specific exception.

If something isn’t working on your site, open your browser’s developer tools (Firefox: Tools, Web Developer, Network; Chrome: Inspector) and check for files that return a 403 Forbidden error. These are usually blocked by a security tool, either on your site or at your hosting provider.

Non-English Characters: Filter out non-English characters from the query string. This should not be used on non-English sites and only works when “Filter Suspicious Query String” has been selected.

Long URL Strings: Limits the number of characters that can be sent in the URL. Hackers often take advantage of long URLs to try to inject information into your database.

File Writing Permissions: Prevents scripts and users from being able to write to the wp-config.php file and .htaccess file. Note that in the case of this and many plugins this can be overcome however it still does make the files more secure. Turning this on will set the UNIX file permissions to 0444 on these files and turning it off will set the permissions to 0664.
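The File Writing Permissions setting above, and the Write to Files discussion under Global Settings, both come down to the same chore: unlock wp-config.php and .htaccess, let a plugin save its settings, and lock them again, then confirm you actually did. Here is an added example (a shell script written for this page, not code from the post or from iThemes Security) that does that lock, unlock and check by hand over SSH using the same modes the plugin uses, 0444 locked and 0664 unlocked. It is run from the site root; the site root path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from iThemes Security: lock,
# unlock and check wp-config.php and .htaccess by hand, using the modes the
# plugin's File Writing Permissions setting uses (0444 / 0664).

CORE_FILES='wp-config.php .htaccess'

# file_mode PATH -> permission bits in octal, e.g. 444
# (GNU stat first; BSD/macOS stat as a fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# set_core_mode DIR MODE : chmod every core file that exists in DIR
set_core_mode() {
    for f in $CORE_FILES; do
        [ -f "$1/$f" ] && chmod "$2" "$1/$f"
    done
    return 0
}
lock_core_files()   { set_core_mode "$1" 0444; }
unlock_core_files() { set_core_mode "$1" 0664; }

# check_core_files DIR : print "FILE MODE" for each core file that is not
# at 0444; returns 0 when every file is locked, 1 otherwise. Run this after
# configuring a plugin to confirm you remembered to lock the files again.
check_core_files() {
    bad=0
    for f in $CORE_FILES; do
        [ -f "$1/$f" ] || continue
        m=$(file_mode "$1/$f")
        if [ "$m" != "444" ]; then
            echo "$f $m"
            bad=1
        fi
    done
    return "$bad"
}

# with_core_unlocked DIR COMMAND [ARGS...] : unlock, run the command (for
# example a settings save that has to write .htaccess), then lock again
# even when the command fails. The command's exit status is returned.
with_core_unlocked() {
    d=$1; shift
    unlock_core_files "$d"
    "$@"
    rc=$?
    lock_core_files "$d"
    return "$rc"
}

# Usage from the site root (path is an assumption for a cPanel account):
#   cd /home/USERNAME/public_html
#   lock_core_files . ; check_core_files . || echo 'core files are writable'
```

Note that 0444 stops ordinary writes by your own account and by plugins running as that account, which is the point of the setting; it is a guard against accidental or automated edits, not a barrier to the file owner, who can always change the mode back.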

There are many poorly written plugins and themes that upload images or other files into the wp-content/uploads folder. Hackers can upload files named as images that are actually malware; they can then execute them directly (not through WordPress, but by URL). This is often the initial phase of an attack, which then downloads many more files onto your server to do malicious things.

“Disable PHP execution in the uploads directory” is one of the most important settings. You can implement this directly in .htaccess if you want, but you must implement it:

RewriteRule ^uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F,L]

WordPress Tweaks

Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.

Windows Live Writer Header: This is not needed if you do not use Windows Live Writer or other blogging clients that rely on this file.

EditURI Header: Remove the RSD (Really Simple Discovery) header. If you don’t integrate your blog with external XML-RPC services such as Flickr then the “RSD” function is pretty much useless to you.

Reduce Comment Spam: This option will cut down on comment spam by denying comments from bots with no referrer or without a user-agent identified.

File Editor: Disables the file editor for plugins and themes requiring users to have access to the file system to modify files. Once activated you will need to manually edit theme and other files using a tool other than WordPress.

The WordPress file editor is used by hackers. Disable it, always. It is also much harder for beginners to edit files in it than in a programmer’s editor with syntax coloring, such as Notepad++ (free, cross-platform Windows or OSX or Linux; search for “notepad++ download”).

XML-RPC: WordPress’ XML-RPC feature allows external services to access and modify content on the site. Common examples of services that make use of XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks. If the site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting, as disabling XML-RPC prevents attackers from using the feature to attack the site.

You truly do not need trackbacks and pingbacks. Most of these you might get, are from spammers, if you do enable them. XML-RPC has so many security problems, do not enable it.

Replace jQuery With a Safe Version: Lets you remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).

Enable this, though you will likely never see a version of jQuery that isn’t safe.

Disable Login Error Messages: Prevents error messages from being displayed to a user upon a failed login attempt.

These messages help hackers know what wasn’t right about the last login attempt, for example they could know they got the user name right and therefore only try different passwords.

Force Unique Nickname: This forces users to choose a unique nickname when updating their profile or creating a new account, which prevents bots and attackers from easily harvesting users’ login usernames from the code on author pages. Note that this does not automatically update existing users, as it would affect author feed URLs if used.

Disable Extra User Archives: Disables a user’s author page if their post count is 0. This makes it harder for bots to determine usernames by disabling post archives for users that don’t post to your site.

WordPress Salts

Update the secret keys WordPress uses to increase the security of your site.

A secret key makes your site harder to hack and access by adding random elements to the password.

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination. A salt is used to further enhance the security of the generated result.
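The salts are just eight define() lines in wp-config.php, and the line the SSL section refers to (forcing https:// for login and admin pages) is one more define() in the same file. Here is an added example (a shell script written for this page, not code from the post or from iThemes Security) that edits wp-config.php without the plugin needing write access: set_wp_define adds or replaces a single define above the “That’s all, stop editing!” marker, and rotate_wp_salts uses it to replace all eight salt values with fresh 256-bit random strings, which, like the plugin’s WordPress Salts tool, logs every user out. It assumes a wp-config.php laid out like the stock one (a define per line, the stop-editing marker present) and that the file is writable when you run it.

```shell
#!/bin/sh
# Added example, not from the original post or from iThemes Security: edit
# wp-config.php from the shell. Unlock the file first (chmod 0664) if you
# keep it locked at 0444.

WP_SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_salt -> 64 hex characters (256 bits) from /dev/urandom; hex is
# used so the value is safe inside a single-quoted PHP string.
random_salt() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# set_wp_define FILE NAME VALUE
# VALUE is inserted verbatim, so pass true, false, a number or a
# single-quoted string. An existing define for NAME is replaced in place
# (whatever its spacing or quote style); otherwise the new line goes just
# above the stop-editing marker, or at the end if there is no marker.
# Running it twice with the same NAME leaves exactly one define.
set_wp_define() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v name="$name" -v value="$value" -v q="'" '
    BEGIN { line = "define( " q name q ", " value " );"; done = 0 }
    $0 ~ ("^[ \t]*define[ \t]*\\([ \t]*[" q "\"]" name "[" q "\"]") {
        if (!done) { print line; done = 1 }   # replace, drop duplicates
        next
    }
    /That.s all, stop editing/ && !done { print line; print ""; done = 1 }
    { print }
    END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
    # cat-over rather than mv keeps the file's owner and mode unchanged
}

# rotate_wp_salts FILE : give every salt key a new random value
rotate_wp_salts() {
    for k in $WP_SALT_KEYS; do
        set_wp_define "$1" "$k" "'$(random_salt)'"
    done
}

# Usage (site root is an assumption for a cPanel account):
#   cp /home/USERNAME/public_html/wp-config.php /home/USERNAME/wp-config.bak
#   set_wp_define /home/USERNAME/public_html/wp-config.php FORCE_SSL_ADMIN true
#   rotate_wp_salts /home/USERNAME/public_html/wp-config.php
```

FORCE_SSL_ADMIN is the standard WordPress constant for forcing SSL on login and the admin area, which is why it works even when the plugin reports that the server does not appear to support SSL; keep a copy of wp-config.php before editing it, as the usage lines do.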

Change Content Directory

Advanced feature to rename the wp-content directory to a different name.

By default, WordPress stores files for plugins, themes, and uploads in a directory called wp-content. Some older and less intelligent bots hard coded this directory in order to look for vulnerable files. Modern bots are intelligent enough to locate this folder programmatically, thus changing the Content Directory is no longer a recommended security step.

This tool provides an undo feature after changing the Content Directory. Since not all plugins, themes, or site contents function properly with a renamed Content Directory, please verify that the site is functioning correctly after the change. If any issues are encountered, the undo feature should be used to undo the change. Please note that the undo feature is only available when the changes added to the wp-config.php file for this feature are unmodified.

IMPORTANT: Deactivating or uninstalling this plugin will not revert the changes made by this feature.

IMPORTANT: Ensure that you create a database backup before changing the Content Directory.

WARNING: Changing the name of the Content Directory on a site that already has images and other content referencing it will break your site. For this reason, we highly recommend only changing the Content Directory on a fresh WordPress install.

Change Database Table Prefix

Change the database table prefix that WordPress uses.

By default, WordPress assigns the prefix wp_ to all tables in the database where your content, users, and objects exist. For potential attackers, this means it is easier to write scripts that can target WordPress databases as all the important table names for 95% of sites are already known. Changing the wp_ prefix makes it more difficult for tools that are trying to take advantage of vulnerabilities in other places to affect the database of your site. Before using this tool, we strongly recommend creating a backup of your database.

Note: The use of this tool requires quite a bit of system memory which may be more than some hosts can handle. If you back your database up you can’t do any permanent damage but without a proper backup you risk breaking your site and having to perform a rather difficult fix.

WARNING: Backup your database before using this tool.

Pro: Malware Scan Scheduling

Protect your site with automated malware scans. When this feature is enabled, the site will be automatically scanned each day. If a problem is found, an email is sent to select users.

This is currently performed by Sucuri.

Pro: Privilege Escalation

Allow administrators to temporarily grant extra access to a user of the site for a specified period of time.

Pro: Password Expiration

Strengthen the passwords on the site with automated password expiration.

Pro: reCAPTCHA

Protect your site from bots by verifying that the person submitting comments or logging in is indeed human.

This is good, and bots are already restricted by the login attempts feature.

Pro: Settings Import and Export

Export your settings as a backup or to import on other sites for quicker setup.

If you maintain more than one site, this will save you all the time you put into configuring iThemes Security the way you like.